Enable RADIUS SSO for a Cloud-Managed Firebox
Applies To: Cloud-managed Fireboxes
This help topic describes how to enable RADIUS Single Sign-On (SSO) for cloud-managed Fireboxes. For information about how to enable Active Directory Single Sign-On, see Enable Active Directory SSO for a Cloud-Managed Firebox. To learn how to configure and enable RADIUS SSO for locally-managed Fireboxes, see Enable RADIUS Single Sign-On.
RADIUS Single Sign-On (RSSO) enables users to automatically authenticate to the Firebox when they use RADIUS to authenticate to a RADIUS client, such as a wireless access point.
When you enable RADIUS SSO, the RADIUS-SSO-Users group and the Allow RADIUS SSO Users system policy are automatically created to allow outbound connections from users authenticated through RADIUS SSO. You can use this group, or you can create new groups that match the user group names on your RADIUS server.
To allow RADIUS accounting traffic from the RADIUS server to the Firebox, the Allow RADIUS SSO Service policy is also automatically created.
If you disable RADIUS SSO, the RADIUS-SSO-Users group and the Allow RADIUS SSO Users and Allow RADIUS SSO Service policies are automatically removed.
Before you enable RADIUS SSO on your Firebox, you must have this information:
- IP Address — The IP address of your RADIUS server
- Secret — Case-sensitive shared secret used to verify RADIUS messages between the RADIUS server and the Firebox
- Group Attribute — The RADIUS attribute number used to get group names from RADIUS accounting messages
Session Timeout and Idle Timeout
For RADIUS SSO, user sessions time out based on RADIUS SSO timeouts rather than the global authentication timeouts set on the Firebox. The RADIUS SSO settings include two timeout values.
Session Timeout
The maximum length of time the user can send traffic to the external network. If you set this value to zero (in seconds, minutes, hours, or days), the session does not expire and the user can stay connected for any length of time.
Idle Timeout
The maximum length of time the user can stay authenticated while idle (not passing any traffic to the external network). If you set this value to zero (in seconds, minutes, hours, or days), the session does not time out when idle and the user can stay idle for any length of time.
If a user disconnects before these timeout limits are reached, the Firebox removes the session when it receives a RADIUS accounting STOP message that contains the user name and client IP address. For more information about RADIUS accounting messages, see About RADIUS Single Sign-On.
Configure the RADIUS Server
To enable RADIUS SSO, you must configure the RADIUS server to forward RADIUS accounting packets to a Firebox IP address on port 1813, and you must configure the shared secret used for communication between the RADIUS server and the Firebox.
Configure the Firebox
When you enable and configure the settings for RADIUS SSO on your Firebox, you must specify the IP address of the RADIUS server.
To enable and configure RADIUS SSO, from WatchGuard Cloud:
- Select Configure > Devices.
- Select the cloud-managed Firebox.
- Click Device Configuration.
- From the Authentication tile, click Settings.
- Select Single Sign-On.
- Enable Single Sign-On with RADIUS.
- In the IP Address text box, type the IP address of your RADIUS server.
- In the Secret text box, type the shared secret you configured on the RADIUS server. The shared secret is case-sensitive and must be the same on the Firebox and the RADIUS server.
- In the Group Attribute text box, specify the RADIUS attribute number that includes information about group membership. In most cases, the Filter-ID attribute (11) is used for this purpose.
- In the Session Timeout text box, type or select the maximum length of time the user can remain authenticated before the session times out.
- In the Idle Timeout text box, type or select the maximum length of time the user can be idle before the session times out.
- Click Save.
RADIUS SSO Policies and Groups
When you enable RADIUS SSO (RSSO), two policies are automatically added to your Firebox configuration:
- Allow RADIUS SSO Service — Allows RADIUS accounting traffic between the Firebox and the RADIUS server
- Allow RADIUS SSO Users — Allows outbound TCP and UDP traffic for RADIUS SSO authenticated users
RADIUS accounting messages include information about group membership for the authenticated user. The RADIUS-SSO-Users group on the Firebox automatically includes all users who are not members of any group that exists on the Firebox. Outbound traffic for these users is allowed by the Allow RADIUS SSO Users policy.
If users who authenticate through RADIUS SSO are members of a group on the RADIUS server, you can create a group with the same name on the Firebox, and then use that group name in policies. If a user authenticated through RADIUS SSO is a member of a group that exists on the Firebox, the user is not added to the RADIUS-SSO-Users group, so the Allow RADIUS SSO Users policy does not apply to that user; you must create a policy that allows traffic for the user or group.
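The processing described on this page (shared-secret verification of accounting messages received on UDP port 1813, the Group Attribute, and session removal on an accounting STOP message) is shown below as an added example; this is not Firebox code, and the session-table model, the constructed packets, and the secret value are assumptions made for illustration.

```python
import hashlib
import struct

ACCT_REQUEST = 4                                   # Accounting-Request code (RFC 2866)
USER_NAME, FRAMED_IP, FILTER_ID, ACCT_STATUS = 1, 8, 11, 40   # RADIUS attribute numbers
STATUS_START, STATUS_STOP = 1, 2                   # Acct-Status-Type values


def build_acct_request(secret, ident, attrs):
    """Constructed Accounting-Request, as a RADIUS server would forward it to UDP 1813."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(header || 16 zero octets || attributes || shared secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def parse_acct_request(packet, secret):
    """Verify the shared-secret authenticator, then extract the fields RSSO relies on."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(header + bytes(16) + body + secret).digest() != auth:
        raise ValueError("authenticator mismatch: wrong shared secret or altered packet")
    attrs, pos = {}, 0
    while pos < len(body):                         # TLV walk with bounds checks
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        t, l = body[pos], body[pos + 1]
        attrs.setdefault(t, []).append(body[pos + 2:pos + l])
        pos += l
    status = struct.unpack("!I", attrs[ACCT_STATUS][0])[0]
    return {"user": attrs[USER_NAME][0].decode(),
            "ip": ".".join(str(b) for b in attrs[FRAMED_IP][0]),
            "groups": [g.decode() for g in attrs.get(FILTER_ID, [])],   # Group Attribute 11
            "action": {STATUS_START: "start", STATUS_STOP: "stop"}.get(status, "other")}


def apply_event(sessions, event, firebox_groups):
    """Assumed session-table model: START creates a session, STOP for the same user/IP removes it."""
    if event["action"] == "start":
        known = [g for g in event["groups"] if g in firebox_groups]
        # users in no Firebox-defined group fall into RADIUS-SSO-Users
        sessions[event["ip"]] = {"user": event["user"], "groups": known or ["RADIUS-SSO-Users"]}
    elif event["action"] == "stop" and sessions.get(event["ip"], {}).get("user") == event["user"]:
        del sessions[event["ip"]]
    return sessions
```

A packet built with a different secret fails the authenticator check and is rejected before any attribute is read, which is why the secret must match exactly on both sides.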